Research Menu

Skip Search Box

Network Anomaly Detection Algorithm


THERMINATOR, Pattern-less Intrusion Detection (PID), Anomaly Detection

Technical Challenge:

The President's Commission on Critical Infrastructure Protection documents that network security and intrusion detection are critical to the U.S. government military, commercial, transportation, and financial infrastructures, Sensing and abating intrusions is key. Advances in intrusion detection techniques have not kept pace with the staggering data increases that network analysts have to process. Technology projections are that networks will carry 100 -1000 times their existing capacity by the decade's end. Current intrusion detection schemes recognize known intrusion scripts, but fall short of effectively and comprehensively finding and displaying new attacks or variants of known attacks.


Detecting anomalies in modern and future communications systems is significantly beyond unaided human capabilities and is difficult or incomplete with existing intrusion detection technologies. This is especially true given the massive size of existing and projected real time and archived data sets and underscores the need to develop radically new automated approaches.

Most current communications network intrusion detection schemes compare incoming traffic to stored "dictionaries" of known intrusion scripts. Dictionaries with tight comparison tolerance(s) risk missing attacks that are comparatively simple variants of the known ones. Loose comparison tolerance(s) produce disproportionately high false alarms that are troublesome and time consuming for the analysts.

There is increased evidence that complex communications systems can be characterized using known physical and scientific processes. Generations of mathematicians, physicists, chemists and engineers have perfected a wide body of physical and chemical strategies, statistical mechanics, and topological techniques to model systems, reduce data, and describe the time and even the spatial variance of complex systems.

The THERMINATOR technology is based on these scientific principles and strategies. The technique is a powerful amalgamation of proven physical science theories, desktop computer power, multi-dimensional graphics, network modeling, and data reduction techniques. The result is an organized representation of communications activity into a format that is comprehensive yet easy to understand.

There are three main THERMINATOR elements: (1) the network modeling portion, (2) the compute engine (based on physical processing) and (3) the multi-dimensional graphics (with click and point facility). THERMINATOR displays the output so that analysts can easily spot anomalies and access the data (click and point) that produced it. Its pattern-less approach saves analytical time and is designed to search for new attacks.

Research tests validated that THERMINATOR detected anomalies that standard intrusion detection schemes missed. During field tests, on a large operational network, THERMINATOR found anomalies that the intrusion detection systems did not capture. It also identified improper equipment configurations in the network intrusion devices.

Demonstration Capability:

Demonstration requires implementing THERMINATOR code on an operational network, using a desktop computer with the appropriate processing power and sufficient memory for archiving, and a requisite level of engineering, computer science, and or mathematical understanding. Various networks may require specialized interface code to adapt it to a particular system.

Potential Commercial Application(s):

Patent Status:

Issued - United States Patent Number 6,470,297

Reference Number: 1155

If you are interested in exploring this technology further, please express your interest in writing to the:

National Security Agency
NSA Technology Transfer Program
9800 Savage Road, Suite 6541
Fort George G. Meade, Maryland 20755-6541


Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15 2009